authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-05-03 09:28:36 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-05-03 12:58:55 +0200
commitee943f5063c9854c4ba84bdf25b272a32a409971 (patch)
treefa198123920c3bd710ea463f605f0882c4ab94c6
parentdd30b179ca0ca989b2ab18e00fa392eef5bfb677 (diff)
downloadgnutls-ee943f5063c9854c4ba84bdf25b272a32a409971.tar.gz
pkcs11: the flag GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT will be respected by imported certificates
That is, certificates imported with gnutls_pkcs11_obj_import_url() or gnutls_x509_crt_import_url() can now be extracted with their extensions overridden. Previously that was available only on gnutls_pkcs11_get_raw_issuer() and friends.
-rw-r--r--lib/pkcs11.c18
1 files changed, 18 insertions, 0 deletions
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 699d9f1c26..2b5629d1c3 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -64,6 +64,7 @@ struct find_flags_data_st {
struct find_url_data_st {
gnutls_pkcs11_obj_t obj;
+ bool overwrite_exts; /* only valid if looking for a certificate */
};
struct find_obj_data_st {
@@ -1972,6 +1973,19 @@ find_obj_url_cb(struct ck_function_list *module, struct pkcs11_session_info *sin
cleanup:
pkcs11_find_objects_final(sinfo);
+ if (ret == 0 && find_data->overwrite_exts && find_data->obj->raw.size > 0) {
+ gnutls_datum_t spki;
+ rv = pkcs11_get_attribute_avalue(sinfo->module, sinfo->pks, obj, CKA_PUBLIC_KEY_INFO, &spki);
+ if (rv == CKR_OK) {
+ ret = pkcs11_override_cert_exts(sinfo, &spki, &find_data->obj->raw);
+ gnutls_free(spki.data);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+ }
+ }
+
return ret;
}
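Review bot: The `goto cleanup;` inside the added block jumps back above `pkcs11_find_objects_final(sinfo)`, so when pkcs11_override_cert_exts fails the find operation is finalized a second time before the function returns. Since the block already runs after the cleanup code, the error path only needs to keep the negative ret and fall through: `if (ret < 0) { gnutls_assert(); }` with the `goto` removed. A failing pkcs11_get_attribute_avalue is silently skipped and leaves ret == 0, so the caller gets the certificate without the overrides it requested through the flag; if that fallback is intentional it deserves a comment such as `/* no SPKI attribute: return the certificate unmodified */`, otherwise log it via _gnutls_debug_log or propagate an error. find_obj_url_cb starts outside the hunk, so the declarations of `obj` and `rv` used here cannot be checked from this view.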
@@ -2024,6 +2038,10 @@ gnutls_pkcs11_obj_import_url(gnutls_pkcs11_obj_t obj, const char *url,
return ret;
}
+ if (flags & GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT) {
+ find_data.overwrite_exts = 1;
+ }
+
ret =
_pkcs11_traverse_tokens(find_obj_url_cb, &find_data, obj->info,
&obj->pin,
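Review bot: `find_data.overwrite_exts = 1;` stores an integer literal into a field the first hunk declares as `bool`; `find_data.overwrite_exts = true;` matches the type and reads as the flag it is. The initialization of find_data is outside the hunk, so it is not visible whether the struct is zeroed before this point; if it is not, the new field is left uninitialized on the path where GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT is absent and find_obj_url_cb would read garbage. gnutls_pkcs11_obj_import_url begins before the hunk.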